I was recently looking to create a merchant account at CCAvenue, which is a leading Payment Portal for online payments in India. Part of this process is a requirement where you have to provide a username and a password for accessing your merchant account. Below is a screenshot of an error that I encountered while trying to do this:
Also, notice that the password can only be a maximum of 8 characters. I found this to be quite appalling. These guys are PCI Data Security Standard Compliant, they are HackerSafe, and they also carry the VeriSign Seal. From my past experience at work, I know that one of the requirements of PCI Compliance is to have a Strong Password Policy in place.
Here’s how Microsoft defines Strong Passwords. I tried checking several 8-character passwords (without special characters) using the Microsoft Password Checker, and none of them could be classified as Strong; the best I got was Medium. Several policies available on the internet define the minimum password length for a strong password to be 8, and almost all the policies I came across recommend/require at least a number and a special character in the password.